0. Hashes?

Every file on a computer has what is called a Hash — a fixed-length fingerprint derived from the file's content.

In practice, the most common algorithm is SHA-256, which produces a 64-character hexadecimal string. Even a single changed byte produces a completely different hash, making it reliable for identification.

Example — SHA-256 of the famous ransomware WannaCry:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Antivirus programs maintain databases of known-malicious hashes. If a file on your system matches one of those hashes, the antivirus knows it is a virus — even if the file is disguised under an innocent name.

In Contagion, this mechanic is turned into a mini-game: you run a scan, receive a hash report, and decide whether to flag it as malicious or ignore it.

1. Data sources

All hash data in Contagion is stored locally. There are no external API calls.

{
    "sha256":     "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
    "name":       "wannacry_loader.exe",
    "signature":  "WannaCry",
    "fileType":   "exe/pe32",
    "detections": "68/72",
    "firstSeen":  "2017-05-12",
    "tags":       ["ransomware", "worm", "exploit"]
}

To add new viruses to the game, append entries to viruses.json following the same schema.

2. Commands

/hash scan

Executes a hash scan of VX's Computer. Has a 50 / 50 chance of producing a real virus hash or a clean false-positive.

How it works behind the scenes

1. Coin flip (Math.random() < 0.5)
   ├── WIN  → pickVirusSample()
   │           Picks a random entry from viruses.json
   │           isVirus = true
   └── LOSE → randomSHA256() + fake system filename
               isVirus = false

2. Build and display the HASH ANALYSIS REPORT (Component V2 container)
   Fields shown:  Hash · Sample · Type · Detections

3. Two buttons are displayed:
   ┌──────────────────┐  ┌───────────┐
   │ 🚩 Flag and Send │  │  ✕ Ignore │
   └──────────────────┘  └───────────┘
   
4. Scan expires automatically after 5 minutes.

Button outcomes

Only the user who ran /hash scan can interact with the buttons.  
If another user clicks, they receive an ephemeral error.

Stored inventory entry (on correct flag)

{
    "type":       "hash",
    "hash":       "<sha256>",
    "name":       "<filename>",
    "signature":  "<malware family>",
    "fileType":   "<exe/pe32 etc.>",
    "detections": "<X/Y>",
    "obtainedAt": "<ISO timestamp>"
}

Usage

Command:            /hash scan
Permission:         Member +
Aliases:            None
Cooldown:           None (one active scan per user at a time)

/hash inventory [user]

Displays the last 10 captured virus hashes for a given user.  
Defaults to the command invoker if no user option is provided.

Display format

Each row shows:

01  ed01ebfbc9eb5bb…  wannacry_loader.exe  [68/72 det.]
02  027cc450ef5f8c…  petya_payload.exe    [61/70 det.]

Note :

Only entries with "type": "hash" in the user's inventory are shown.  
Vulnerability items and other inventory types are ignored.

Usage

Command:            /hash inventory [user]
Options:            user — Discord user mention or ID (optional)
Permission:         Member +
Aliases:            None

/hash info <hash>

Looks up a SHA-256 hash against the local viruses.json database and displays full details.

Behaviour

• If the hash matches a known entry -> full report (name, type, malware family, detections, first seen, tags).
• If the hash is not in the database -> error message.
• If the input is not a valid 64-character hex string -> immediate error reply.

Display format (known hash)

Hash        : ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Sample      : wannacry_loader.exe
Type        : exe/pe32
Malware     : WannaCry
Detections  : 68/72 vendors
First seen  : 2017-05-12
Tags        : ransomware, worm, exploit

Usage

Command:            /hash info <hash>
Options:            hash — SHA256 string, 64 hex characters (required)
Permission:         Member +
Aliases:            None